Spamvertised ‘Your order for helicopter for the weekend’ themed emails lead to malware

Cybercriminals are currently mass mailing tens of thousands of emails in an attempt to trick users into thinking that the order for their “air transportation services has been accepted and processed”. In reality, though, once users execute the malicious attachment, their PCs automatically become part of the botnet managed by the malicious actors.

Once executed, the sample creates the following processes on the affected hosts:

"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp1.tmp.bat"
C:\Documents and Settings\<USER>\Application Data\KB00927107.exe
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp2.tmp.exe
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp4.tmp.exe
C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp6.tmp.exe
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp3.tmp.bat"
"C:\WINDOWS\system32\cmd.exe" /c "C:\DOCUME~1\<USER>~1\LOCALS~1\Temp\exp5.tmp.bat"

It also creates the following mutexes:

Local\XMM00000340
Local\XMI00000340
Local\XMM00000530
Local\XMI00000530
Local\XMM00000630
Local\XMI00000630
Local\XMQ6C66A66E
Local\XMS6C66A66E
Local\XMR6C66A66E
Local\XMM000002BC
Local\XMI000002BC
Local\XMM000000A8
Local\XMI000000A8
Local\XMM000004A0
Local\XMI000004A0
Local\XMM000009A4
Local\XMI000009A4
Local\XMM00000A48
Local\XMI00000A48
Local\XMM00000EDC
Local\XMI00000EDC

It creates the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CFBDC89D4
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\S25BC2D7B

It sets the following registry value:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] -> KB00121600.exe = "%AppData%\KB00121600.exe"

It then phones back to the following C&C servers:

37.59.36.93:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
94.23.6.95:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
64.186.148.92:8080/DPNilBA/ue1elBAAAA/tlSHAAAAA/
213.214.74.5:8080/AJtw/UCyqrDAA/Ud+asDAA/
91.121.167.124/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
91.121.30.185/J9/vp//EGa+AAAAAA/2MB9vCAAAA/
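As an added example (not code from the original post), the Python helper below turns the process, registry and C&C artifacts listed above into matchers and runs them over endpoint telemetry; the tab-separated `kind<TAB>value` log format, the user name and the sample events are assumptions constructed for illustration.

```python
import re
# Indicators from the post: exp<N>.tmp.bat/.exe droppers in %TEMP%, a KB<8 digits>.exe
# persisted through the HKCU Run key, and 9-character subkeys under HKCU\...\Windows NT.
TEMP_DROPPER_RE = re.compile(r"\\Temp\\exp\d+\.tmp\.(?:bat|exe)\b", re.I)
APPDATA_KB_EXE_RE = re.compile(r"(?:%AppData%|\\Application Data)\\KB\d{8}\.exe", re.I)
RUN_KEY_RE = re.compile(r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I)
WINNT_SUBKEY_RE = re.compile(r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\[0-9A-Z]{9}$", re.I)

# C&C endpoints from the post as (host, port); port 80 where the URL gave none.
C2_ENDPOINTS = {("37.59.36.93", 8080), ("94.23.6.95", 8080), ("64.186.148.92", 8080),
                ("213.214.74.5", 8080), ("91.121.167.124", 80), ("91.121.30.185", 80)}

def classify(kind: str, value: str) -> list[str]:
    """Return the campaign indicators that one telemetry value matches."""
    hits = []
    if kind == "process":
        if TEMP_DROPPER_RE.search(value):
            hits.append("temp-dropper")
        if APPDATA_KB_EXE_RE.search(value):
            hits.append("appdata-kb-exe")
    elif kind == "registry":
        if RUN_KEY_RE.search(value) and APPDATA_KB_EXE_RE.search(value):
            hits.append("run-key-persistence")
        if WINNT_SUBKEY_RE.search(value):
            hits.append("winnt-random-subkey")
    elif kind == "network":
        host, _, port = value.partition(":")
        if (host, int(port) if port.isdigit() else 80) in C2_ENDPOINTS:
            hits.append("known-c2")
    return hits

def triage(lines: list[str]) -> list[tuple[int, str, list[str]]]:
    """Scan 'kind<TAB>value' lines; return (line number, kind, hits) for each match."""
    findings = []
    for n, line in enumerate(lines, 1):
        kind, _, value = line.rstrip("\n").partition("\t")
        hits = classify(kind.strip().lower(), value.strip())
        if hits:
            findings.append((n, kind, hits))
    return findings

# Constructed sample telemetry (hypothetical format and user name, not from the post).
SAMPLE = [
    'process\t"C:\\WINDOWS\\system32\\cmd.exe" /c "C:\\DOCUME~1\\bob~1\\LOCALS~1\\Temp\\exp1.tmp.bat"',
    "process\tC:\\Documents and Settings\\bob\\Application Data\\KB00927107.exe",
    'registry\tHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\KB00121600.exe = "%AppData%\\KB00121600.exe"',
    "registry\tHKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CFBDC89D4",
    "network\t213.214.74.5:8080",
    "network\t8.8.8.8:53",
]
```

Running `triage(SAMPLE)` flags the first five constructed events and leaves the unrelated DNS connection alone; the same matchers can be pointed at real process-creation, registry and network logs once they are normalised to the same two-column form.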

We’ve already seen one of the C&C IPs (213.214.74.5) in the following previously profiled malicious campaigns: